Tony Nguyen wrote:
>
> The design strongly encourages your described scenario though presented
> differently. The overall policy is split into two global layers, Global
> Default and Global Override.
>
> - Initially, services are set to inherit Global Default's policy so
> service-specific rules enforce the same policy (block or allow the same
> set of network entities). This is the preferred and default setting for
> services.
>
> - An administrator can, however, choose to set a different policy for a
> specific service. This action potentially exposes the system, but only
> through that service, and is a user's conscious decision.
>
> - The Global Override allows another set of global rules, an overall
> policy, that takes precedence over the needs of all services. This
> explicit global override policy makes it clear that services' policies are
> restricted by another overall policy.
Yes, I got that from reading the design document, and the Global Override
seems to accomplish what I was looking for in terms of a global policy that
cannot be undone by individual services. However, a highly desirable related
property would be assurance that individual service rules cannot conflict
with each other. As you said in response to another email:

> A service is expected to only generate rules relevant to its
> network traffic.

It would be ideal if the way of expressing service rules made it impossible
to affect other services. I don't think the current syntax for service rules
provides that assurance (and it may not be feasible to do so), but it would
be great if it could.

Scott
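The two points in this exchange, the Global Override / service / Global Default precedence Tony describes and the cross-service leakage Scott is worried about, modelled as an added Python example. This is not the project's code: the rule representation, the service/port ownership table, the source labels ("untrusted", "blacklisted") and the allow-on-no-match fallthrough are all assumptions made for illustration; the point is that the generated per-service rules sit in one combined rule list, so a service rule that is not scoped to that service's own ports reaches the traffic of other services, while nothing a service writes can reach above the Global Override layer.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ALLOW, BLOCK = "allow", "block"


@dataclass(frozen=True)
class Rule:
    action: str                  # ALLOW or BLOCK
    src: str = "any"             # source network entity: "any" or an assumed host/subnet label
    dport: Optional[int] = None  # destination port; None means every port (this is the hazard)

    def matches(self, pkt: dict) -> bool:
        return self.src in ("any", pkt["src"]) and self.dport in (None, pkt["dport"])


@dataclass
class Service:
    name: str
    ports: frozenset                     # ports this service listens on (assumed ownership table)
    rules: Optional[List[Rule]] = None   # None = inherit Global Default, the preferred setting


@dataclass
class Policy:
    global_override: List[Rule] = field(default_factory=list)
    global_default: List[Rule] = field(default_factory=list)
    services: Dict[str, Service] = field(default_factory=dict)


def compile_rules(policy: Policy) -> List[Tuple[str, Rule]]:
    """Flatten the layers into one ordered list, first match wins.
    Global Override comes first so no service rule can precede it; services that
    inherit contribute nothing of their own and fall through to Global Default."""
    ordered = [("global_override", r) for r in policy.global_override]
    for svc in policy.services.values():
        for r in svc.rules or []:
            ordered.append((f"service:{svc.name}", r))
    ordered += [("global_default", r) for r in policy.global_default]
    return ordered


def decide(policy: Policy, pkt: dict) -> Tuple[str, str]:
    """Return (action, deciding layer) for a packet {"src": label, "dport": port}."""
    for layer, rule in compile_rules(policy):
        if rule.matches(pkt):
            return rule.action, layer
    return ALLOW, "no_match"   # assumption: unmentioned traffic is allowed


def out_of_scope_rules(policy: Policy) -> List[Tuple[str, Rule]]:
    """Scott's missing assurance, as a static check: a service rule with no port,
    or with a port the service does not own, can affect other services' traffic."""
    bad = []
    for svc in policy.services.values():
        for r in svc.rules or []:
            if r.dport is None or r.dport not in svc.ports:
                bad.append((svc.name, r))
    return bad


def example_policy() -> Policy:
    """Constructed sample: sshd inherits Global Default, httpd opts out for its own port."""
    return Policy(
        global_override=[Rule(BLOCK, src="blacklisted")],        # nobody can undo this
        global_default=[Rule(BLOCK, src="untrusted")],           # what inheriting services get
        services={
            "sshd": Service("sshd", frozenset({22})),            # inherits Global Default
            "httpd": Service("httpd", frozenset({80}),
                             rules=[Rule(ALLOW, dport=80)]),     # conscious opt-out, port-scoped
        },
    )


if __name__ == "__main__":
    pol = example_policy()
    for pkt in ({"src": "untrusted", "dport": 22},
                {"src": "untrusted", "dport": 80},
                {"src": "blacklisted", "dport": 80}):
        print(pkt, "->", decide(pol, pkt))
    pol.services["httpd"].rules = [Rule(ALLOW)]   # sloppy rule: no port
    print("sloppy httpd rule leaks into sshd:", decide(pol, {"src": "untrusted", "dport": 22}))
    print("flagged:", out_of_scope_rules(pol))
```

With the port-scoped httpd rule, untrusted traffic to sshd is still blocked by Global Default while httpd's opt-out only loosens port 80; replacing that rule with a port-less `Rule(ALLOW)` makes untrusted traffic to port 22 pass as `service:httpd`, which is exactly the cross-service effect the current syntax does not rule out, and `out_of_scope_rules` is the kind of check that could catch it at rule-generation time. Blacklisted sources are blocked by Global Override in every case.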